Splunk Enterprise Security

Field aliases don't always return the same number of results as the field being aliased

dsrvern
Explorer

Hi,

I'm using Splunk 6.6.3 with the Enterprise Security app, with access only to the web interface.

I have two indexes, each with the same sourcetype:

index=index1 sourcetype=WindowsEventLogs
index=index2 sourcetype=WindowsEventLogs

WindowsEventLogs contains the same fields in both indexes, as expected.

I created an alias named "dhost" which corresponds with the existing field "dest". The field alias has global permissions, readable to everyone.

Next, I obtained the count of "dest" and "dhost" from each index, specifying a 1 minute range from the time picker (9:55:00 - 9:55:59). The results show a different number of events for the original "dest" field, and the aliased "dhost" field:

index=index1 sourcetype=WindowsEventLogs | stats count(dest)       612 (612 events)
index=index1 sourcetype=WindowsEventLogs | stats count(dhost)      335 (612 events)

index=index2 sourcetype=WindowsEventLogs | stats count(dest)        19 (19 events)
index=index2 sourcetype=WindowsEventLogs | stats count(dhost)       4 (19 events)

I expected the numbers to match in each index. For example, I expected 335 to be 612, and I expected 4 to be 19.

I also tried the same scenario with "source" instead of "sourcetype" when creating the field alias, but the results were exactly the same.

Also, if I create a field alias for a sourcetype whose name isn't shared with any other indexes, the numbers for "dest" and "dhost" sometimes do match as I expected, and sometimes they do not.

Finally, I've read the Splunk docs, searched Google and answers.splunk.com, and can't find any mention of this behavior. Have I overlooked something? Shouldn't the count of the alias and the field being aliased be the same?

Thanks.

Update: I don't believe that field aliases are working properly. I've just created 7 aliases for a field in one sourcetype, and the search results are inconsistent:

index=foo sourcetype=bar | stats count(src),count(shost2),count(shost3),count(test123),count(asdf),count(test1234),count(asdf2),count(test12)

These are the results:

src: 43
shost2: 0
shost3: 0
test123: 15
asdf: 0
test1234: 15
asdf2: 0
test12: 15

That is not what I expect to see based on the definition of a field alias.

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Enterprise Security uses app imports to selectively import apps and knowledge objects. If the app that you created one of the field aliases in is not being imported by Enterprise Security, that could explain some of the behavior you're seeing. I haven't experimented to confirm that this is the case, but it's something worth checking out.

0 Karma

peterchenadded
Path Finder

Not able to reproduce this. Is this happening in a single instance of Splunk?

Maybe the field alias setting hasn't been replicated correctly to all your indexers.

Are there any errors or warnings in your "inspect job" splunk.log?

0 Karma

dsrvern
Explorer

Thank you for your feedback, peterchenadded. Though I didn't find any related errors or warnings in the inspect job splunk.log, that did give me something new to look into for troubleshooting. It's possible the field alias isn't replicating correctly. I'll have to get someone else to investigate that.

@smoir - Thank you for your reply. I created the field alias within the Enterprise Security app (via Settings >> Fields >> Field aliases).

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...